I've managed to create two network namespaces (ns1 and ns2) and connect them via veth connection. They can ping each other fine, and even ssh one into another (provided I started sshd).

What I would want to do now is to start some process inside ns1 (let's say vi) that can't be seen or at least can't be modified/killed from ns2. Is that possible?

I tried using

unshare -p vi

on ns1 but it's still killable from ns2. I can understand it being killable from the global/default network namespace since it's derived from it, but ns2 shouldn't be able to kill a process inside ns1. At least that's what I want to achieve. Any help would be appreciated.

Most Linux namespaces (types) don't have any "inheritance" relationship, but are in fact flat. For instance, see "Introspecting namespace relationships" (blog.man7.org/2016/12/…). The only hierarchical namespaces currently are the PID and user namespaces. Even mount namespaces have no inherent hierarchy from the namespace perspective itself. In this sense, network namespaces aren't special at all: it doesn't make sense for one network namespace to inherit (child) or contain (parent) other routing table entries, network interfaces, et cetera.
– TheDiveO Jun 12 '18 at 20:17

Linux network namespaces are different from Linux PID namespaces; we need to clearly differentiate between them because they isolate completely different sets of system/OS resources.

Now, processes are said to join or reassociate with namespaces, such as a specific network namespace and another specific PID namespace. A process is always associated with many namespaces, but only with exactly one of each type (network, mount, PID, user, ...).

So when it comes to "seeing" and killing processes, this is a matter of access rights and PID spaces, so this is related to PID namespaces instead. "Seeing" may also relate to mount namespaces when it comes to seeing them in /proc.
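The following script is an added example, not part of the answer above, that checks both of its claims on a live kernel: a process placed in its own PID namespace (with /proc remounted, i.e. a separate mount namespace) is neither visible in ps nor signalable from a sibling PID namespace, while a fresh network namespace alone, which is what the questioner's ns2 is, still shares the initial PID namespace and can signal the process just like before. It assumes util-linux unshare(1), procps (pgrep, pkill, ps) and a kernel that permits unprivileged user namespaces; when run as root the -U and -r flags can be dropped. The "sleep 300" stand-in for vi and the 300-second timeout are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original question or answer). Shows that whether
# "ns2" can see or kill a process in "ns1" is decided by PID namespaces (plus
# the mount namespace that holds /proc), not by network namespaces.
# Assumptions: util-linux unshare, procps pgrep/pkill/ps, unprivileged user
# namespaces enabled (otherwise run as root without -U/-r).

# Returns 0 when the demo ran and both claims held, 1 when a claim failed,
# 2 when this kernel or sandbox refuses to create the namespaces at all.
pid_ns_demo() {
    # Probe: can we create a user+PID+mount namespace with a private /proc?
    if ! unshare -Urpf --mount-proc true 2>/dev/null; then
        echo "skip: cannot create user/PID namespaces here" >&2
        return 2
    fi

    # The "ns1" stand-in: a long-lived process that becomes PID 1 of its own
    # PID namespace (-p). -f makes unshare fork so the new namespace gets an
    # init; --mount-proc remounts /proc so ps inside sees only that namespace.
    unshare -Urpf --mount-proc sleep 300 &
    wrapper=$!

    # Find the sleep's PID as seen from here (the initial PID namespace): it
    # is the child of the forking unshare wrapper. Loop briefly until the
    # child has exec'd sleep.
    target=""
    for _ in 1 2 3 4 5; do
        target=$(pgrep -P "$wrapper" -x sleep) && [ -n "$target" ] && break
        sleep 1
    done
    if [ -z "$target" ]; then
        echo "skip: could not locate the target process" >&2
        pkill -9 -P "$wrapper" 2>/dev/null
        kill "$wrapper" 2>/dev/null
        return 2
    fi

    rc=0
    # Claim 1: from a *sibling* PID namespace (ns2 done properly) the process
    # is absent from ps, and the number $target is not in that namespace's
    # PID table at all, so kill -0 fails with ESRCH.
    if unshare -Urpf --mount-proc ps -eo comm= | grep -qx sleep; then
        echo "FAIL: sibling PID namespace can see the target" >&2; rc=1
    fi
    if unshare -Urpf --mount-proc sh -c "kill -0 $target" 2>/dev/null; then
        echo "FAIL: sibling PID namespace can signal the target" >&2; rc=1
    fi

    # Claim 2: a new *network* namespace alone (the questioner's ns2) still
    # shares the initial PID namespace, so the process remains signalable;
    # the network namespace never entered into the permission check.
    if ! unshare -Urn sh -c "kill -0 $target" 2>/dev/null; then
        echo "FAIL: plain network namespace cannot signal the target" >&2; rc=1
    fi

    # Clean up from the parent PID namespace. A namespace's PID 1 ignores
    # signals it has no handler for, even from an ancestor namespace; SIGKILL
    # from an ancestor is always honoured, so that is the one to use.
    kill -9 "$target" 2>/dev/null
    wait "$wrapper" 2>/dev/null
    return $rc
}

if pid_ns_demo; then
    echo "both claims held"
else
    echo "demo exit status $?"
fi
```

Read together with the answer: to keep a vi in ns1 out of reach of ns2, both sides need their own PID namespace (siblings cannot see each other's PIDs at all), and killing it from the initial namespace stays possible because PID namespaces are hierarchical and the initial one is an ancestor of both.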